Revoking a session
Online mode
This is applicable when the user is online and you want to revoke their session via an API call from their frontend client.
Method 1: Call the signOut function from the frontend
Method 2: Call the revokeSession function post session verification on the backend
import express from "express";
import { verifySession } from "supertokens-node/recipe/session/framework/express";
import { SessionRequest } from "supertokens-node/framework/express";

let app = express();

app.post("/someapi", verifySession(), async (req: SessionRequest, res) => {
    // This will delete the session from the db and from the frontend (cookies)
    await req.session!.revokeSession();

    res.send("Success! User session revoked");
});
Offline mode
This method of revoking a session will only delete the session from the database and not from the frontend.
This implies that the user will still be able to access protected endpoints while their access token is alive.
If you want to log the user out instantly in this mode, you should enable access token blacklisting.
This is applicable when the user is offline, or if you want to revoke their session from the backend.
Method 1: Revoke a session using its sessionHandle
import Session from "supertokens-node/recipe/session";

async function revokeSession(sessionHandle: string) {
    // `revoked` is a boolean reporting whether a session was removed for this handle
    let revoked = await Session.revokeSession(sessionHandle);
    return revoked;
}
You can fetch all of the sessionHandles for a user using the getAllSessionHandlesForUser function.
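The two calls above can be combined to revoke every session of a user except one, for example after a password change. This is an added example, not SuperTokens' own code: revokeOtherSessions, SessionApi, RevokeReport and makeFakeSessionApi are hypothetical names, and the fake store is constructed so the block runs without a SuperTokens core.

```typescript
// SessionApi mirrors the two supertokens-node calls named on this page
// (first argument only), so the helper also runs against an in-memory fake.
interface SessionApi {
    getAllSessionHandlesForUser(userId: string): Promise<string[]>;
    revokeSession(sessionHandle: string): Promise<boolean>;
}

interface RevokeReport {
    revoked: string[];        // handles removed from the database
    alreadyGone: string[];    // handles that no longer existed when revoked
    kept: string | undefined; // the handle that was deliberately left alive
}

// Revoke all sessions of userId except keepHandle (omit keepHandle to revoke all).
async function revokeOtherSessions(
    api: SessionApi,
    userId: string,
    keepHandle?: string
): Promise<RevokeReport> {
    const report: RevokeReport = { revoked: [], alreadyGone: [], kept: undefined };
    const handles = await api.getAllSessionHandlesForUser(userId);
    for (const handle of handles) {
        if (handle === keepHandle) {
            report.kept = handle;
            continue;
        }
        // A session can expire or be revoked elsewhere between listing and
        // revoking; record that instead of treating it as a failure.
        const ok = await api.revokeSession(handle);
        (ok ? report.revoked : report.alreadyGone).push(handle);
    }
    return report;
}

// Constructed stand-in for the session database: sessionHandle -> userId.
function makeFakeSessionApi(store: Record<string, string>): SessionApi {
    return {
        async getAllSessionHandlesForUser(userId) {
            return Object.keys(store).filter((h) => store[h] === userId);
        },
        async revokeSession(handle) {
            if (!(handle in store)) return false;
            delete store[handle];
            return true;
        },
    };
}
```

With the real library, pass an object that forwards to Session.getAllSessionHandlesForUser and Session.revokeSession, and req.session.getHandle() as keepHandle. As in the rest of offline mode, the revoked sessions' access tokens stay usable until they expire unless access token blacklisting is enabled.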
Method 2: Revoke all sessions for a user
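import express from "express";
import Session from "supertokens-node/recipe/session";

let app = express();

// Parse JSON request bodies so that req.body is populated
app.use(express.json());

// Restrict this route to trusted callers (for example, admins):
// as written, it revokes the sessions of whichever userId the request supplies.
app.use("/revoke-all-user-sessions", async (req, res) => {
    let userId = req.body.userId;
    await Session.revokeAllSessionsForUser(userId);
    res.send("Success! All user sessions have been revoked");
});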
By default, revokeAllSessionsForUser will delete all the sessions for the user across all the tenants. If you want to delete the sessions for a user in a specific tenant, you can pass the tenant ID as a parameter to the function call.